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Abstract —Correlated sources are present in communication 
systems where protocols ensure that there is some predetermined 
information for sources. Here correlated sources across an 
eavesdropped channel that incorporate a heterogeneous encoding 
scheme and their effect on the information leakage when some 
channel information and a source have been wiretapped is in¬ 
vestigated. The information leakage bounds for the Slepian-Wolf 
scenario are provided. Thereafter, the Shannon cipher system 
approach is presented. Further, an implementation method using 
a matrix partition approach is described. 

I. Introduction 

Practical communication systems make use of correlated 
sources, for example smart grid meters. Each smart grid meter 
for a particular grid conforms to certain protocols and this 
means that certain information (e.g. date, area, etc.) in the 
header files will be the same for various meters. From the 
receiver’s (or an eavesdropper’s) perspective, it appears as 
common information shared between the meters. This is there¬ 
fore pre-existing or known information for an eavesdropper. 
Thus, correlated sources are common in systems transmitting 
information, e.g. smart grid meter systems. This implies that 
the theory used for correlated sources may also be applied to 
this type of system. 

Correlated source coding incorporates the lossless com¬ 
pression of two or more correlated data streams. Correlated 
sources have the ability to decrease the bandwidth required to 
transmit and receive messages because a compressed form of 
the original message is sent across the communication links 
instead of the original message. A compressed message has 
more information per bit, and therefore has a higher entropy 
because the transmitted information is more unpredictable. The 
unpredictability of the compressed message is also beneficial 
for the information security. 

In practical communication systems links are prone to 
eavesdropping and as such this work incorporates wiretapped 
channels, more specifically the wiretap channel II. In work by 
Aggarwal et al. [T) it is seen that an eavesdropper can be active 
and can erase/modify bits. They develop a perfect secrecy 
model for this scenario. The eavesdropper that we investigate 
is a passive wiretapper, who cannot modify information. The 
mathematical model for this wiretap channel has been given 
by Rouayheb et al. j2j, and can be explained as follows: 
the channel between a transmitter and receiver is error-free 
and can transmit n symbols from which /i of them can be 


observed by the eavesdropper and the maximum secure rate 
can be shown to equal n — /x symbols. The wiretap channel II 
was described by Ozarow and Wyner 0 with a coset coding 
scheme. This wiretap channel can even be looked at from 
a Gaussian approach. A variation of this Gaussian wiretap 
channel has been investigated by Mitrpant et al. J4'|. In this 
work we use an information theory approach and provide a 
link to coding theory. There has been work done on wiretap 
channels for a coding approach. The first was done by Wei [5J 
who presented the generalized Hamming weight to describe 
the minimum uncertainty that an eavesdropper has access to. 
Thereafter characteristics on this channel were introduced by 
Luo et al. [j6j. The characteristics focused on were those 
pertaining to Hamming weights and Hamming distances in 
order to determine the equivocation of a wiretapper. Thereafter, 
the security aspect of wiretap networks has been looked at 
in various ways by Cheng et al. [7j, and Cai and Yeung 
emphasizing that it is of concern to secure this type of 
channels. 

The difference between the original wiretap channel and the 
wiretap channel II is that the latter is error free. In an inter¬ 
esting application of the wiretap channel and wiretap channel 
of type II, Dai et al. [j9J presented a model that incorporates 
compromised encoded bits and wiretapped bits from a noisy 
channel. The concept of a noiseless transmission gives rise to 
an ideal situation in terms of noise when analyzing the model. 
Here, we consider a scenario where an eavesdropper has access 
to more than just the bits from the communication links. Luo 
et al. [6|, in some previous work, have described a similar sort 
of adversary as more powerful. In addition to the eavesdropped 
bits from the communication links, the eavesdropper also has 
access to some data symbols from the two remaining sources. 
In other previous work the information leakage for two 
correlated sources when some channel information from the 
communication links had been wiretapped was investigated. 
Intuitively from this work, it is seen that there is indeed more 
information gained by the more powerful eavesdropper, not 
just in terms of the source symbols but in terms of the source 
being considered, which results from the fact that the sources 
are correlated. This makes it easier for the eavesdropper to 
determine the transmitted message and information about the 
source of concern. 

This extra information that the eavesdropper has access to 
can be considered as side information to assist with decoding. 
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Villard and Piantanida m have also looked at correlated 
sources and wiretap networks: A source sends information to 
the receiver and an eavesdropper has access to information 
correlated to the source, which is used as side information. 
There is a second encoder that sends a compressed version 
of its own correlation observation of the source privately to 
the receiver. Here, the authors show that the use of correla¬ 
tion decreases the required communication rate and increases 
secrecy. Villard et al. have explored this side information 
concept further where security using side information at the 
receiver and eavesdropper is investigated. Side information is 
generally used to assist the decoder to determine the transmit¬ 
ted message. An earlier work involving side information was 
done by Yang et al. ED- The concept can be considered to 
be generalized in that the side information could represent a 
source. It is an interesting problem when one source is more 
important and Hayashi and Yamamoto El have considered it 
in another scheme with two sources, where only one source is 
secure against wiretappers and the other must be transmitted to 
a legitimate receiver. They develop a security criterion based 
on the number of correct guesses of a wiretapper to attain 
a message. In this paper the source data symbols may be 
seen as side information to the eavesdropper, which is further 
explained in Section II. 

Shannon’s secrecy model is an interesting avenue for this 
work. Previous work [ 10jj has looked at a model for Shannon’s 
cipher system when there is wiretapping at the channel only. 
Merhav E) investigated similarly, for a model using the addi¬ 
tional parameters of the distortion of the source reconstruction 
at the legitimate receiver, the bandwidth expansion factor of 
the coded channels, and the average transmission cost. 

In the model presented herein two correlated sources and 
a third source having correlation to one other source, which 
may also be wiretapped is considered. The paper is arranged 
in nine sections. Section II puts forth a description of the 
model and Section III presents the information leakage quan¬ 
tification for this model. The information leakage is a new 
concept developed and quantifies how much of information 
the adversary/eavesdropper has access to. The proofs for the 
information leakage quantification are presented in Section 
IV. In Section V, the Shannon cipher system approach is 
presented, where channel and key rates for perfect secrecy 
are determined. In Section VI, the practical investigation is 
detailed. Thereafter, similar models are discussed in Section 
VII and the paper is concluded in Section VIH and the 
Appendix that details the proofs for the theorems developed 
for the Shannon cipher approach are contained in Section IX. 

II. Model 

The independent, identically distributed (i.i.d.) sources X , 
Y and Z are mutually correlated random variables, depicted 
in Figure [T] The alphabet sets for sources X, Y and Z are 
represented by X and y and Z respectively. Assume that X K 
and Y k are encoded into two channel information portions 
represented by their common and private information portions. 
We can write Tx = {Vcx,Vx) and Ty = ( Vcy,Vy ) 
where Tx and Ty are the channel information of A' and Y 


respectively. The Venn diagram in Figure [2] easily illustrates 
this idea. Each source is composed of K bits, and for source 
Z K , p of these symbols are considered as the predetermined 
information and is leaked to the wiretapper (/< < K). 


z K x K y k 



x k ,y k 


Figure 1. Correlated source coding for heterogeneous encoding scheme with 
X and Y transmitting compressed information 


X Y 



Figure 2. The relation between private and common information 

This encoding scheme, as specified in E) reaches the 
Slepian-Wolf bound. Here, the length of Tx and Ty is not 
fixed, as it depends on the encoding process and nature of the 
Slepian-Wolf codes. 

The correlated sources X, Y and Z transmit messages (in 
the form of some channel information) to the receiver along the 
channel. The decoder determines X and Y only after receiving 
Tx and Ty. 

The eavesdropper has access to either the common or private 
portions given by Tx and Ty and the eavesdropped source 
information Z 1 ' . The effect is that the eavesdropper has access 
to some compressed information (that is transmitted across the 
communication link after encoding) and some uncompressed 
information (i.e. the source Z’s data symbols). It is valuable 
to determine how much of information this eavesdropper has 
access to when wiretapping the private or common information 
portions (this is described in the next section). 

Here, for X K and Y K typical set encoding and decoding 
is used. We are able to determine bin indices for the typical 
sequence from the indices passed over the communication 
channel. When common or private information from the 
syndromes are wiretapped it gives an indication of which 
row/column in the specific look up table the sequence is 
contained within. The encoding and decoding for X and Y has 
been described in detail in previous work El- The decoding 
probabilities follow. 

From the Venn diagram we see that the private information 
and common information produced by each source should 
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contain almost no redundancy. Here, Vox, Vx, Vy, Vcy are 
asymptotically disjoint, which ensures that there is almost no 
redundant information sent to the decoder. 

In previous work [10), we have considered the common 
information that Vex and Vcy represent, which was found 
to be /(X; Y). Here, we begin to explore the nature of codes 
when there are three correlated sources. We first define the 
prototype code: For any eo > 0 and sufficiently large K, 
there exits a code Wcx = Fcx(X K ), Way = Fcy(Y k ), 
X k ,Y k ,Z k , where W x £ I Mx , W Y £ I My , W C x £ 
I m c x and Wcy £ I m cy for /,v/„, which is defined as 
{0,1,..., M a — 1}, that satisfies, 

Pr{X K , Y k ± X K , Y k } < e 0 (1) 


III. Information Leakage Using Slepian-Wolf 
Approach 

In order to determine the security of the system, a measure 
for the amount of information leaked has been developed. 
The obtained information and total uncertainty are used to 
determine the leaked information. Information leakage is indi¬ 
cated using Lg. Here V indicates the set of sources for which 
information leakage is being quantified. Further, Q indicates 
the transmitted sequence that has been wiretapped. 

The information leakage bound for the cases where informa¬ 
tion from all three links are wiretapped is investigated. There 
are two cases considered: 

Case 1: Leakage on Y when Ty , 7 V. Z l ‘ are wiretapped. 
Case 2: Leakage on X when Ty, T x , Z v are wiretapped. 

The information leakage for these cases is as follows: 


H(X\Y,Z)-e 0 

< 

^H(Wx) < log M y 



< 

H{X\YZ) + e 0 

(2) 

H(Y\X, Z) — e 0 

< 

H(Wy) < log My 



< 

H(Y\X) + e 0 

(3) 


< ^[H(V y )+H(Vcy)-H(Y k ) 

+ I{T y -Y k ) + I(T x -Y k ) 

+ I{Ty,T x \Y K ) + I(Y K -Z‘ x )+I(Ty,Z^\Y K ) 
+ I{T X ; Z^\Y K , Ty) — I(T X - T y ) — I(T X - Z^) 
- I(Ty,Z^\T x )\ + 6 (9) 


< 


/(X; Y) - e 0 < ^ \og[H(W CX ) + H(W C y)\ 
/(X;F) + e o (4) 


^H(X K \V Y )>H(X)-e 0 


(5) 


Ly, Tx .z, < ^[H(V x ) + H(V cx )-H(X k ) 

+ I(Ty,X K )+I(X K -,T x ) 

+ I(T y -T x \X k ) + I{X K ; Z») + I{Ty ; Z^\X K ) 
+ I(T X ; Z»\X k ,T y ) - I(T X -Ty) - I(Z»-,T X ) 
- I(T Y -Z»\T x )\+8 (10) 


^H(Y K \V X ) >H(Y)-e 0 (6) 

^-H(Z K \Vy)>H(Z)-e 0 (7) 

A 

We can see that 0-0 mean 

H(X,Y) - 3e 0 < ^(H(W X ) + H(W CX ) + H(W Y ) 

+ H(W C y)) < H(X, Y) + 3e 0 (8) 

Hence from |T|, ([8]) and the ordinary source coding theorem, 
(Wj, Wy, Wcx and Wcy) have almost no redundancy for 
sufficiently small eo > 0. Equations <|TJ - ([R]i have been proven 
in m for two sources. 

This model can cater for a scenario where a particular 
source, say Y needs to be more secure than X (possibly 
because of eavesdropping on the Y channel only); we would 
need to secure the information that could be compromised. 
A masking approach to achieve this is described in previous 
work (D- 


Here, T x and Ty are the compressed sequences and in 
terms of the information quantity they include either the 
private or common portion. Thus, we can see the above bound 
as a generalised result for wiretapping X’s or F’s links, when 
the source Z is leaked. The portion Z 1 ' could be leaked from 
the private or common portion of Z\ this is therefore also a 
generalised representation for the leaked portion for Z. 

This is interesting because this case deals with correlated 
sources and as such intuitively it is known that there is some 
information that may be leaked by an alternate source. The 
common information component between all sources is the 
maximum information that can be leaked by another source. 
For this case, the common information Vex an d Vcy can 
thus consist of added protection to reduce the amount of 
information leaked. 


IV. Proof of Information Leakage Bounds 

This bound developed in (|9]i is proven below. 

Proof for 0: First, H(Y K \Ty,T x , Z^) is determined, 
as to perform the information leakage calculation we need to 
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fmdH(Y)-H(Y\T Y ,T x ,Z») 


Proof for ( fTO| >: 


4 H{Y k \T y ,T x ,Z») 

A 

= 4 ( y ^, TV, Tx, Z») - H(T y , Tx , Z")] 

= Uh{¥ k ) + //(Ty|y A ) + //(Tx|Ty,y A ) 

A 

+ H(Z»\Y k ,T y ,T x ) - (H(T y ) + H{Tx\Ty) 

+ H(Z»\T y ,T x ))] 

= ^[H(Y k ) + ( H(T V ) - /(TV; Y k )) + ( H(T X 

A 

I(Y K ; T x ) - I(T y -,T x \Y k )) + (H(Z») - I(Y K -Z 
/(TV; ^|y A ) - J(T X ; Z»\Y K , Ty)) - //(Ty) 
(H(T X ) — I(T x ;T y )) — (//(Z M ) 

- I(Z»-T x )-I(Ty-,Z»\T x ))} 

= + ^(^V) - /(TV;l rif ) + H(T x ) 

A 

I(Y K ; T x )) - J(T f ;Tv|F a ') + //(Z^) - /(y A ;Z^) 

- /(/¥;^|y A ) - /(Tx;^|y x ,ry) - //(/» 

//(Tx) + /(Tx; Ty) - H(Z») + /(Z"; Tx) 

+ I(T y ;Z»\T x )\ 

= ^[H{Y k ) - I(T y ; Y k ) - I(Y K -T X ) 

- I(T y ;T x \Y k )-I(Y k -,Z»)- I(T Y ;Z li \Y K ) 

- I(T x -Z»\Y k , Ty) + /(Tx; T Y ) 

+ /(Z'*;Tx) + /(Ty;Z'*|Tx)] (11) 


where (a) results from the chain rule expansion for 
H{Y,T y ,T x ,Z») and H(T Y ,T X ,Z») and (6) results from 
the property that the conditional entropy is the same as the 
mutual information subtracted from the total uncertainty, i.e. 
H(X\Y) = H(X) — I(X;Y). Here, (c) is arithmetic, where 
the terms H(T Y ), H(T X ) and H(Z^) cancel. 

The information leakage is thus: 


L 


y k _ 

T Y ,T x ,Zr — 


< 

+ 

+ 

+ 

+ 

+ 

+ 

+ 


H(Y)~ ^H(Y k \T y ,T x ,Z») 

f^[H{Vy) + H(Vcy) — H(Y k ) 

I(T y -,Y k ) + I(Y k ; Tx) + /(T r ; T x \Y K ) 
I{Y k ; Z^) + /(Ty; Z^\Y k ) 

/(Tx; Z»\Y k ,T y ) - (/(Tx; Ty) 
J(^;Tx)+/(Ty;^|Tx))]-6 

^[H(V y ) + H(Vcy) - H(Y k ) 

I(T y -,Y k ) + I(Y k ; Tx) + /(Ty; T x \Y K ) 
I(Y k -Z») + I(T y -,Z»\Y k ) 
I(T x -Z»\Y k ,Ty)-I(T x ;T y ) 
I(Z»-,T x )-I{T y -,Z»\T x )}+6 (12) 


which proves (|9). 


^H(X k \T y ,T x ,Z^) 

= ^[H(X K , Ty,Ty, Z") - H(T y ,T x ,Z»)} 

= 1[ H{X k ) + H(T y \X k ) + H(T x \T y ,X k ) 

+ H(Z^\X K ,T Yl T x ) - (H(T y ) + H(T x \T y ) 

+ H{Z»\T y ,T x ))] 

= H(X k ) + (H(Ty)-I(T y -,X k )) 

+ (//(Tx - I(X K ; Tx) - /(Ty; T x \X k )) + (H(Z») 

- I{X K -Z V) - /(Ty; Z»\X K ) - I{T x -Z^\X k , T y )) 
//(Ty) - (//(Tx) - /(Tx;Ty)) - (H(Z») 

- /(Z'*;Tx)-/(Ty;Z'*|Tx))] 

= ^[//(X) + //(Ty) - /(Ty; X A ) + //(Tx) 

/(X A ; Tx)) - /(Ty; Tx|X A ) + H(Z») - /(X A ; Z") 
/(Ty; Z^|X A ) - /(Tx; Z^|X A ,Ty) - H(T V ) 

H(T X ) + /(Tx;Ty) - //(Z^) + I{Z^T X ) 

+ /(Ty; Z M |Tx)] 

= -^[//(X A )-/(Ty;X A )-/(X A ;Tx) 

- /(Ty;Tx|A' A ) - /(X A ;Z^) - /(Ty; Z^X^) 

- /(Tx;Z^|X A ,Ty)+/(Tx;Ty) 

+ /(Z M ; Tx ) + /(Ty; Z^ 1 |Tx )] (13) 

where (ci) results from the chain rule expansion for 
//(X, Ty, Tx, ) and H(T Y ,T X ,Z») and (e) results from 

the property that the conditional entropy is the same as the 
mutual information subtracted from the total uncertainty, i.e. 
H(X\Y) = H(X) — I(X-Y). Here, (/) is arithmetic, where 
the terms H(T Y ), H(T X ) and //(Z^) cancel. 

The information leakage is thus: 


L 


x _ 

Ty,Tx,ZV — 


< 

+ 

+ 

+ 

+ 

+ 

+ 


H(X k ) - -^Z/(X A |Ty,Tx, Z M ) 

A 

hH{V x ) + H(Vcx) - H(X K ) 

A 

/(Ty;X A )+/(X A ;Tx) 

I[T Y -T x \X K ) + /(X A ; Z*) + I(T y -,Z»\X k ) 
/(Tx;Z^|X a Ty) - (/(Tx;Ty) 

/(Z^;Tx) + /(Ty;Z^|Tx))]-5 

^[/(Ty;X A ) + /(X A ;Tx) 

/(Ty; Tx|X A ) + /(X A ; Z M ) 

+/(Ty; Z^|X A ) + /(Tx; Z^|X A Ty) 

/(Tx; Ty) — /(Z^ 4 ; Tx) 

/(Ty; Z m |Ty)] + <5 (14) 


which proves ( flQ| ). 

This section shows the information leakage for when various 
portions of the channel information and some source data 
symbols are leaked. It is evident that the eavesdropper has 
more information about a particular source as shown in ([T2|) 
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and ( [T4| than if only one or two links transmitting compressed 
information were wiretapped. This can be drawn from a 
comparison of some previous work (10). The interesting cases 
explored for <0> and © demonstrate that the source Z 
contributes to leakage for X and Y ; this is due to the common 
information shared between them. 

Equations (J9]l and ( [T0| i indicate that the information leakage 
is upper bounded by the common information portions indi¬ 
cated. The information leakage in (|9]l and ([TO]) can be reduced 
if the common information portions are secured. Equations |9]) 
and ( fT0| can be verified using the Venn diagram in Figure [2] 

V. Shannon Cipher Approach 

Here, we discuss Shannon’s cipher system for three corre¬ 
lated sources (depicted in Figure |5J. The two source outputs 
are i.i.d random variables X and Y, taking on values in the 
finite sets X and y. Both the transmitter and receiver have 
access to the key, a random variable, independent of X K and 
Y k and taking values in lM k = {0,1,2,..., M k — 1}. The 
sources X K and Y K compute the ciphertexts W\ and W 2 , 
which are the result of specific encryption functions on the 
plaintext from X and Y respectively. The encryption functions 
are invertible, thus knowing W\ and the key, k x for X then 
X can be retrieved. The key for Y is represented as ky. 

The mutual information between the plaintext and ciphertext 
should be small so that the wiretapper cannot gain much in¬ 
formation about the plaintext. For perfect secrecy, this mutual 
information should be zero, then the length of the key should 
be at least the length of the plaintext. 


Z K X K Y K 



x k ,y k 


Figure 3. Shannon cipher system for three correlated sources 

The encoder functions for X and Y, (Ex and Ey respec¬ 
tively) are given as: 


E x : X K x lM kx 

Im' x — {0,1,.. 

■M x - 1 } 


I M’ CX = {0,1, 

...,M' CX - 10-15) 

Ey ■ y K x IM kY ► 

Im' y = {0,1,.. 

- , My — 1} 


Im' cy = {0,1,. 

• •, M'cy — 1|16) 

The decoder is defined 

as: 



Dxy ■ {hi ' x , hi [., Im' cx > Im ' cy ) x lM kx ,lM kY 

—> x K x y K (17) 


The encoder and decoder mappings are below: 


W 1 =F Ex (X K ,W kX ) 

(18) 

W 2 = F Ey (Y K ,W kY ) 

(19) 

X K = F nx (WyW 2 ,W kX ) 

(20) 

y K = F Dy (W-t, W 2: W k y) 

(21) 

or 


(X K , Y K ) = F Dxy (WyW 2 , W kX , W k y) 

(22) 

The following conditions should be satisfied for cases 

1- 4: 

log Mx < Rx + e 

(23) 

], log My < Ry + e 

K 

(24) 

— log M k x < Rkx + e 

(25) 

— log M k y < R k y + e 

A 

(26) 

Pr{X A ^ X K } < e 

(27) 

Pr {Y k ^ Y k } < e 

(28) 

<h x +e 

A 

(29) 

4 H(Y k \W 2 ) <h Y + e 

(30) 

^H(X K ,Y K \W U W 2 ) < h X y + e 

A 

(31) 

where R x is the rate of source V’s channel and Ry is 
the rate of source F’s channel. Here, ( R kx ,RkY ) is the rate 
of the key channel when allocating a key to X and Y . The 


security level for X and Y are measured by the total and 
individual uncertainties, ( hx,hy ) and h X y respectively. 

The cases 1-3 that are considered are as follows: 

Case 1: When (W\, W 2 , Z^) is leaked and (. X K ,Y K ) needs 
to be kept secret. The security level of concern is represented 

by j t H(X K ,Y K \W 1 ,W 2 ,Z*). 

Case 2: When (Wi,W 2 ,Z /J ’) is leaked and (. X K ,Y K ) needs 
to be kept secret. The security level of concern is represented 
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by (Xh(X k \W 1 ,W 2 ,Z^,X H (Y k \W 1 ,W 2 ,Z^)). 

Case 3: When (Wi,W 2 ,Z m ) is leaked and Y K needs to be 
kept secret.The security level of concern is represented by 
^H(Y k \W 1 ,W 2 ,Z^). 


The admissible rate region for each case is defined as 
follows: 

Definition la: (Rx, Ry, Rkx, RkY, hxy) is admissible 
for case 1 if there exists a code ( Fe x , Fe xy ) and (Fe y , 
Fd xy ) such that ( |23[ i - ( [28] ) and ( |3 11 hold for any e —> 0 and 
sufficiently large K. 

Definition lb: (Rx, Ry, Rkx, RkY, h\, hy) is admissible 
for case 2 if there exists a code ( Fe x , F Dxy ) and (Fe y , 
Fd xy ) such that ( |23| - ( |30| > hold for any e —» 0 and 
sufficiently large K. 

Definition lc: (Rx, Ry, Rkx, RkY, hy) is admissible for 
case 3 if there exists a code (Fe y , Fd xy ) such that ( |23[ i - 
( |28| > and ( [30] ) hold for any e —> 0 and sufficiently large K. 
Definition 2: The admissible rate regions of IZj for case j 
are defined as: 


Ri(hxy) = {(Rx, Ry, Rkx, Rky) ■ 

(Rx, Ry, Rkx, RkY, hxy) is admissible for case 1} (32) 


R'tihx , hy ) = { (Rx, Ry, Rkx , Rky) ■ 

(Rx , Ry, Rkx , RkY,hx,hy) is admissible for case 2} (33) 


R-3(hy) = {(Rx, Ry, Rkx, Rky) ■ 

(Rx, Ry, Rkx, Rky, hy) is admissible for case 3} (34) 

Theorems for these regions have been developed: 

Theorem 1: For 0 < hxy < H(X,Y) — acx — otcy + 
I(X',Y ; Z), 

Ri(hxy) = {(Rx, Ry, Rkx, Rky) '■ 

Rx > H(X\Y), 

Ry > H(Y\X), 

Rx + Ry > H(X, Y) 

Rkx + Rky > hxy} (35) 

Theorem 2: For 0 < h \ < H(X) — acx and 
0 < hy < H(Y ) — acy 

R-2(hy ) = {(Rx, Ry, Rkx, Rky) '■ 

Rx > H(X\Y ), 

Ry >H(Y\X), 

Rx + Ry > H(X, Y) 

Rkx + Rky > ma x(h x ,h Y )} (36) 

where TZi and 7^2 are the regions for cases 1 and 2 
respectively. Here, acx and o : cy are the common portions 
(i.e. the correlated information) of the i.i.d source Z (for 
I(X-,Z) and I(Y: Z) respectively) that are contained in Z 11 


per symbol. When hx = 0 then case 3 can be reduced to that 
depicted in ([36]). Hence, Corollary 1 follows: 

Corollary 1: For 0 < hy < H(Y) — acy, 

R^(hy ) = 7 ^ 2 ( 0 , hy) 

The security levels, which are measured by the total and 
individual uncertainties hxy and (hx,hy) respectively give 
an indication of the level of uncertainty in knowing certain 
information. When the uncertainty increases then less infor¬ 
mation is known to an eavesdropper and there is a higher level 
of security. The proofs of Theorems 1 and 2 are detailed in 
the appendix. 


VI. Information Leakage Using Matrix Partitions 


In this section the aim is to determine the equivocation 
(uncertainty) in retrieving the message from the transmit¬ 
ted channel information. We follow the convention used by 
Stankovic et al. HZ) to present an example together with 
a method incorporating generator matrix ranks put forth by 
Luo et al. j6 | and determine the equivocation. The Hamming 
distances are represented as follows: cLh(X k , Y K ) < 1 and 
d H (Y K ,Z K ) < 1. It is noted that there is some sort of 
correlation between X and Z due to the Hamming distance 
relations between (X K ,Y K ) and ( Y K ,Z K ). 

The following generator matrix G is used: 


1 0 0 0 1 0 1 
0 10 0 110 
0 0 10 111 
0 0 0 1 0 1 1 


The matrix takes the form: G = [JfcP T ] and here //,. is the 
identity matrix of order k and P T is made up of two 2x3 
matrices in this case. 

Suppose the messages to send across the channels for X 
and Y are given by: x = [ai Vi q\\ = [10 11 001] and y = 
[«2 a 2 <72] = [10 11 011]. 

There is compression along X’s and F’s channel. As per 
the matrix partition method the syndrome for X and Y is 
comprised of: 


T x 



Ty 



where is the G matrix transpose of rows 1-2 and columns 
5-7 and I ’] is the G matrix transpose of rows 3-4 and columns 
5-7. The generator matrices used by X and Y to achieve these 
syndromes are Gx and Gy respectively. 


G x 


0 0 10 1 
0 0 110 
1 0 0 0 0 
0 10 0 0 
0 0 10 0 
0 0 0 1 0 
0 0 0 0 1 
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Gy = 


1 0 0 0 0 
0 10 0 0 
0 0 111 
0 0 0 1 1 
0 0 10 0 
0 0 0 1 0 
0 0 0 0 1 


This results in syndromes of [1110 0] for X and 
[10 111] for Y. 

Here, the equivocation for these cases can be found using 
the G matrix specified above and a sub matrix of G. As 
per Luo et al. |6|, the equivocation is given by: A r | Tl , = 
rank(G) — rank(tJy), where A r | Tr is the equivocation on Y 
given Ty. 

Next, the information leakage for each of the following 
cases is analyzed: 


• The equivocation on (X K , Y K ) when (Tx, Ty) is leaked 

• The equivocation on (X K ,Y K ) when T x is leaked 

• The equivocation on (X K ,Y K ) when Ty is leaked 


In order to show the most representative results for each 
of the cases the scenarios contributing to the minimum and 
maximum information leakage have been considered. 

Before the information leakage method is described certain 
variables are introduced. Here, fir x and nr Y represent the 
number of wiretapped bits from Tx and Ty respectively. The 
length of the information bits from each syndrome is repre¬ 
sented as if and if for X K and Y K respectively. The length 
of parity bits with respect to X R or Y K is denoted as l p , and 
the following can be developed: if + if + 2 l p is the overall 
length of Tx and Ty. Hence we have: 0 < l-lT x < if + Ip 
and 0 < \xt y < if + Ip- 

Note that the leakage is determined using a combination 
of the information and parity bits and the parity matrix H 
rank. The H matrix rank is used to determine how much 
of information is leaked from the wiretapped bits, when 
the columns corresponding to the wiretapped bits have been 
removed. Let H' denote the H matrix with the wiretapped 
columns removed. 

The case for the leakage on ( X K ,Y K ) when (T x ,Ty) 
is leaked is now considered. Initially we consider when the 
maximum leakage is reached. When nr x < if and nr Y < if, 
the maximum leakage is fiy x + MTV + rank(iT) — rank(fT'). 
This considers when the information bits (namely v\ and U 2 ) 
have been leaked only. Next, if /ip Y > if and Hr Y > 1} is 
considered. For this case min ~ if 1 Mr y — if) parity bits 
can be from the corresponding positions in i f af ® q] and 
Pfaf ® qf. Therefore, the maximum leakage is lf+l} + 
Ht x + min (n Tx - lf,^r Y —lf)+ rank(iT) — rank (if 7 ). If 
I l T x > if an d YTy < if the maximum leakage is fj,y Y + 
if + rank (H) — rank(fT); if jir x < if and p, t y > if, the 
maximum leakage is \xy x +lf +rank(7T) —rank(fT'). Now we 
consider when the minimum leakage is reached. When fJ-T x < 
l p and < l P , the minimum leakage is max(0, p t x +Ht y — 
l p ) + rank (H) — rank( II'). This considers when the parity 
bits (namely Pf af ® qf and Pf af ® qj) have been leaked 
only. Otherwise, the minimum leakage is + Mty — l p + 


rank (if) — rank(TT'). For the numerical example considered 
the information leakage as represented above is depicted in 
Figure [4] 


Leakage on (X K ,Y K ) when (Tx.Ty) is wiretapped 



Figure 4. The information leakage on (X K , Y K ) when (T x , Ty ) has been 
wiretapped 


Next the information leakage for the second and third cases 
are determined. The leakage for these cases reach the same 
limit for the minimum and maximum cases of information 
leakage, however the information leakage peak occurs at dif¬ 
ferent points depending on which bits (information or parity) 
are leaked first. The leakage for the second and third cases 


respectively are as follows: Lf x = if and Lf y ^ = if . 

Using the numerical example for this section, the graphical 
representation is in Figure [5] The maximum case depicted 
is when the information bits are initially wiretapped and the 
minimum case is where the parity bits are initially wiretapped. 

Now the information leakage on (X K ,Y K ) when // bits 
of source Z is leaked is considered, which is done in two 
steps. First, since dn{Y K , Z K ) < 1, if there are 0 < p, < K 
bits (p = 0 is considered earlier in this section), the number of 
possible sequences including repeated sequences is + 

1). However, there are 2 h different sequences repeated 
K — n + 1 times and there are p2 A different sequences 
that possibly occur once. Second, from every possible Y K , 
there are eight possible sequences for X K with identical 
possibilities. Therefore, the information leakage due to Z 1 ' 
with respect to X K and Y K is detailed in (|37|. 


where H(X K 7 Y K ) = 10, H{X K \Y K ) = 3 and K = 7. 

The information leakage represented in ( fT7| i may be used 
in the cases explored in this section to separately determine 
the information leakage of Z v on X K and Y K . 

















Figure 5. The information leakage on (X K . Y K ) when T\ or Ty has 
been wiretapped 


In this example certain bits have more equivocation than 
others and as such which bits are wiretapped plays a role in 
making the system vulnerable at different times. For instance, 
following from the third case if only Ty is wiretapped from 
the parity bits then for the first 3 bits there is no information 
leakage due to Ty as the wiretapper would have encountered 
the masked bits. The information leakage occurs after the third 
bit, when 112 is wiretapped. This therefore shows an upper 
and lower bound on the uncertainty, where the upper bound 
is given when bits 112 is leaked first and the lower bound 
is given when the masked portion is first leaked. The parity 
bits are masked and are thus more difficult to be leaked to an 
adversary. Parity bits from both sources need to be wiretapped 
and in the same positions in order to leak information. In 
addition the Z v bits also contribute to the information leakage 
and the correlation between X K ,Y K and Z 1 ' plays a role in 
determining the overall leakage. 

In general, for a systematic code the columns that have a 
weight of one would contribute one bit to the information 
leakage entirely. With use of the matrix partition approach, if 
the parity bits of both Tx and Ty are wiretapped (and these 
bits are from the same columns in each generator matrix) 
then for every two parity bits wiretapped there is one bit 
of information leaked. The parity bits and the information 
bits can also be used to solve the parity matrix to determine 
the information leakage. If the wiretapped parity bits do not 
belong to the same columns then there is no information 
leakage at that point. 

This section shows the equivocation for the model set forth 
in Section II when various portions of the channel information 
and some source data symbols from Z are leaked. 

VII. Discussion 

The model presented herein is a more generalised approach 
of Yamamoto’s m model. If we were to combine the commu¬ 


nication links for X and Y into one link and wiretap from the 
link only, we would have a similar situation as per Yamamoto’s 
1181. The information transmitted along the channels do not 
have a fixed length as per Yamamoto’s ED method. Here, 
the channel information length may vary depending on the 
encoding procedure and nature of Slepian-Wolf codes, which 
is another feature of this model. 

At first glance, Yamamoto’s model may seem to be a 
generalisation of the Luo et al. |6;| model, however Luo et 
al. |6j incorporate a wiretapper at the source that introduces 
a more powerful adversary. In our work, we use a similar 
concept in that the information known to the eavesdropper 
is // source symbols for Z, which makes our model further 
different to Yamamoto’s and Luo et al. [6). 

The work by Yang et al. © uses the concept of side in¬ 
formation to assist the decoder in determining the transmitted 
message. The side information could be considered to be a 
source and is related to this work when the side information is 
considered as correlated information or when side information 
assists in decoding. Similar work with side information that 
incorporates wiretappers, by Villard and Piantanida HD and 
Villard et al. GD may be generalized in the sense that side 
information can be considered to be a source, however this new 
model is distinguishable as channel information transmitted 
across an error free channel can all be wiretapped. Another 
point is that the ZJ‘ wiretapped bits that the eavesdropper has 
access to helps with reducing the uncertainty of determining 
a message (as mentioned in Section I), can be considered as 
side information to the eavesdropper. 


VIII. Conclusion 

Knowing which components contribute most to information 
leakage aids in keeping the system more secure, as the required 
terms can be additionally secured. Here, we analyze the 
effect of an eavesdropper accessing a source and channel 
information in terms of the information leakage. In Section 
III the information leakage for the three correlated source 
model with the more powerful adversary was quantified and 
proven. It is seen that the common information portion and 
the wiretapped source are the weaknesses when information 
is leaked to the eavesdropper and will need to be secured 
for decreasing the information leakage. The Shannon cipher 
system approach has provided channel and key rates for perfect 
secrecy. A method for practical implementation has also been 
presented using a matrix partition approach. 


IX. Appendix 

This section initially proves the direct parts of Theorems 1 
- 2 and thereafter the converse parts. 


A. Direct parts 

All the channel rates in the theorems above are in accor¬ 
dance with Slepian-Wolf’s theorem, hence there is no need to 
prove them. We constmct a code based on the prototype code 
(Wx,Wy,Wcx,Wcy) in Lemma 1. In order to include a 
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key in the prototype code, Wx is divided into two parts as 
per the method used by Yamamoto 


W x i = W x mod M X1 G I Mxi = {0,1,2,..., M X1 - 1} (38) 


Wx - Wx 1 

W X2 = G I Mx2 = {0, 1 , 2 ,..., Mx 2 - 1} (39) 

ivlxi 

where M x i is a given integer and M x 2 is the ceiling 
of Mx/Mx i- The Mx/Mxi is considered an integer for 
simplicity, because the difference between the ceiling value 
and the actual value can be ignored when I\ is sufficiently 
large. In the same way, Wy is divided: 

W Y 1 = W Y mod M Y i G hi Y , = {0,1, 2 ,..., M Y i - 1} (40) 


Wy - Wy 1 

Wy 2 = G I My2 = {0,1, 2 , ..., My 2 - 1} (41) 

Myi 

The common information components Wcx and Wcy are 
already portions and are not divided further. In this scenario 
Wcx + Wqy lies between 0 and I(X\Y ). It can be repre¬ 
sented by X and Y, X only or Y only. It can be shown that 
when some of the codewords are wiretapped the uncertainties 
of X K and Y h are bounded as follows: 


Mcx and Mqy are described as Wei, Wc 2 , Met and 
Me 2 respectively by Yamamoto. Here, we consider that Wcx 
and Wqy are represented by Yamamoto’s Wei and Wc 2 
respectively. In addition there are some more inequalities 
considered here: 


1 


1 


=H(Y k \Wx,Wcx,Wcy,W Y 2 ) > — log M Y i 


K 


K 


- £n 


1 


(50) 


- H{Y k \W x ,Wcx,Wcy) > — log Myi 


I\ 


K 

+ ^7 log My 2 - Cq (5 1 ) 


—H(X K I W x 2 , Wcy) > 77 log M x 1 

A A 

1 


+ 77 log Mcx ~ e 0 152) 

A 


4 H(Y k \Wx 2 ,W C y) > 77 log Myi 

A A 


+ log M Y 2 + 77 log M cx 

A A 


- e n 


(53) 


^H(X k \W X 2 , W y ) > I(X ; Y) + ^ log M x 1 - e ' 0 (42) 

A A 


^H(Y k \W x ,Wy 2 ) > I(X- Y) + 4 log Myi - €o (43) 

A A 


-H(X k \W x ,W Y 2 ) > I(x ; Y) - e 0 (44) 

A 


^H(X k \Wx, Wy, Wcy) > 4 log M C x ~ e 0 (45) 

A A 


The inequalities ( [50] ) and can be proved in the same 
way as per Yamamoto ’sjU Lemma A2, and ( [52] ) and ( [53] ) can 
be proved in the same way as per Yamamoto’s m Lemma 
Al. 

Proof of Theorem 1 : Suppose that (Rx, Ry- Rkx, 
Rky) G 72.1 for h XY < H(X,Y)-acx-a C Y+I(X;Y-,Z). 

Then, from ( |35] > 

R x > H{X k \Y k ) 

R y > H{Y k \X k ) 


R x +Ry>H(X k ,Y k ) 


(54) 


^H(Y k \W x ,W y , Wcy) > ^7 logM cx - e 0 (46) 

A A 


RkX + RkY > hxY 


(55) 


^H(X K \W Yl Wcy) > H(X\Y) + ^ \ogM cx ~ (47) 

A A 


Here the keys are uniform random numbers. For the first 
case, consider the following: hxY > I(X;Y). 


-3 H(Y k \W y ,Wcy) > ^ log Mcx - e 0 (48) 

-H(Z^) >a z + a C x + a C Y - I(X; Y ; Z) - e' (j (49) 

F 

where e 0 —> 0 as e 0 —^> 0- Here, we indicate the wiretapped 
source symbols with the entropy in ( [49] ), where acx and 
acY are the correlated portions of the i.i.d source Z that are 
contained in Z 1 ' per symbol and ay is the private portion of 
Z. 

The proofs for ( |42| ) - ( [48] ) are the same as per Yamamoto’s 
|T 8 ) proof in Lemma Al. The difference is that Wcx, Wcy, 


Mxi = m in(2 KH ^ Y \2 K ^-^ x ’ Y ))) (56) 

Myi = 2 K{ - hxY - I{x ' Y )) (57) 

The codewords IL'i and W 2 and the key 144 x and I44y are 
now defined: 

W x = (W x 1 © W kY x, Wx 2 , W C x © W kCX ) (58) 

W 2 = (H'V-i © W k Yi , W Y2 , Wcy © W kCY ) (59) 
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Therefore ( Rx , Ry, i?/cy, /ijy) is admissible from 


W kX = w kc X 


W k Y = (WkYl,WkCY) 


(60) 


(61) 


77 log Mx + T log My 
A A 


< 


< 


J7 (log Mx 1 + log M X 2 

log Max) + 77 (log My 1 
log My 2 + log May) 
fT(X|Y) + fT(Y|X) 
/(X;Y)+3e 0 

M(X,y) + 3e 0 
Rx © Ry © 3eo 


— [log M kX 
1 


log M kY } 


= — [log M cx + log M C y + log My 1 ] 

< I(X-Y) + hxY-I(X-Y)-e 0 

= hxY — Co 

< -RfcX + RkY — Co 

where ( |82| results from ( |57| . 

The security levels thus result: 

^-H(X K , Y k \Wi,W 2, Z m ) 

A 

= 4 H(X k ,Y k \Wxi © W kY i, 

A 

Wx 2 , Wcx © Wkcx 
Wy 1 © IMfcyi, H V2 
Wcy © WkCY , z») 

K V K\ 


1 


> -H(X k ,Y k \WxuWx2, 

A 

Wy 1 © W fc yi, Wy 2 ) — Cq 


Next the case where: hxY < / (A r : Y) is considered. The 
codewords and keys are now defined: 


where W a £ Im 0 = {0,1,..., M a — 1}. The wiretapper 
will not know Wx 1 , Wcx Wy 1 and Wcy as these are 
protected by keys. 

In this case, R x . Ry , Rkx and R k y satisfy from <0 - 
( | 6 T] >, that 


Wi = (Wxi,Wx 2 , Wcx © W k cx) 
W'2 = (W Y1 ,W Y 2 ,W C y) 

W kX = ( W kCX ) 


M cx = 2 


Kh > 


(67) 


( 68 ) 


(69) 


(70) 


where W a € lM a = {0,1,... ,M a — 1}. The wiretapper 
will not know the W x and Wy that are secured with keys. 
In this case, R x , Ry, Rkx and R kY satisfy that 


(62) 


(63) 

(64) 


K 


[log M k x + log M k y] 


where ( fTT) results from ( fTO] , 
The security level thus results: 

H(X k ,Y k \W 1 ,W 2 ,Z^) = 


> 


= — log Mcx 

= h X y 

< RkX + RkY (71) 


^H(X k ,Y k \W X i,W X2 , 

A 

Wcx © W k cx, 

Wyi,Wy2, Wcy, Z^) 

— log M C x ~ a C x ~ olcy 


(65) 


= -H(X K ,Y K \W x ,W Y 2 ,Z»)-e 0 

> I(X'Y) + log My 1 

A 

- acx — olcy + I(X; Y: Z) - 2e 0 — e 0 

= I(X; Y) + h XY ~ I(X ; Y) - a C x - ol C y + I{X ; Y ; Z) 

- 2 <© ^ e o 


+ I(X; Y-,Z) — e 0 
= h X Y - acx — acY + I{X\Y\ Z) 
- eo (72) 

where ( ] 1 09[ > holds from ( |70[ >. 

Therefore ( R x , Ry, R k x , RkY, h X Y) is admissible from 

<0 - ( fl09l ). 

■ 

Theorem 2 proof: 

In the same way. Suppose that (R X , Ry, R k x, Rky) £ 

72.0 for h x ^ H(X) — acx — acY © I{X', V: i?) and hy © 

H(Y) — acx ~ acY +1(X; Y; Z). Without loss of generality, 
we assume that h x < hy. Then, from ([36]) 


= h X y — acx — acr + I{X\ Y : Z) — 2e 0 — 


( 66 ) 


Rx > H{X k \Y k ) 


Ry > H{Y k \X k ) 


Rx + Ry > H(X K ,Y K ) 

(73) 

Rkx + RkY > max(h x ,h Y ) 

(74) 


where 0 holds because Wcx and Wcy are secured by 
uniform random keys and the result of Yamamoto’s Lemma 
A2. 


Consider the following: h x > J(X; Y). 

Mxi = m m( 2 KH ^ Y \ 2 K ^~R x X))) 


(75) 
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M Y1 = 2 K ^~R X ’ Y )) 

The codeword W 2 and the key W k y is now defined: 

Wi = (Wxi © W kY i, W X2 , Wax © W kCX ) (77) 

W 2 = (W Y 1 © W k Yl,Wy2, WcY © Wk Cy) 

Wkx = Wkcx 

WkY = (WkYl,WkCY) 

In this case, Rx, Ry, R k x and R k y satisfy from <EU> 
( |80l >, that 


— log M x + 77 log My = 77 (log Mxi + log M x2 

A A A 


(76) 

^H(Y K \W 1 ,W 2 ) = 

jyH(Y K \W X i © Wkx\, 



W x 2 , Wcx © Wkcx 




Wy 1 © Wfeyi, Wy 2 


(77) 


W C Y®W kC Y,Z») 



> 

— log M Y i + I{X; Y) — acx 

A 


(78) 

- 

a CY + I(X;Y;Z)~e 0 



= 

I(X ; y) + min(77(X|F), hy - 

I(X;Y)) 

(79) 

- 

acx — acy + I{X;Y ; Z) — e 0 

(87) 


> 

/ 

hy- - e 0 

( 88 ) 

(80) 

where (|87) comes from (|76). 



Therefore (Rx, Ry, R k x, RkY, h x , hy) is admissible 
from ( [ 81 ) - ( 188 ) . 

Next the case where h x < I(X;Y ) is considered. If hy > 
I(X\Y) the following results. The codewords W\ and W 2 
and their keys W kx and W k y are now defined: 


+ log M C x ) + 77 (log My 1 
+ log My 2 + log M C y ) 

< H(X\Y) + H(Y\X) 

+ I(X;Y) + 3e 0 
= H(X,Y) + 3e 0 
^ R x + Ry © 3eo (81) 


Wi = (W X i,Wx 2 , W C x © W kCX ) (89) 

w 2 = (Wy 1 © WkYl, W Y2 , Wcy © W kCY ) (90) 

Wkx = ( W kCX ) (91) 


— [log M kx + log M k y] 

A 

= [log Max + log M C y + log Myi] 


I(X;Y) + h Y -I{X;Y)-e 0 

(82) 

hy — eo 


+ RkY — eo 

(83) 


The security levels thus result: 

j^H(X K \Wi, W 2 , Z M ) 

A 

= —H(X K \Wxi © WkYi,Wx 2 , Wcx © Wkcx 

A 

Wy\ © WkYl,Wy2, WCY © WkCY, Z^) 

> ^H(X K , Y K \W X1 © WkYi,W X 2,Wy 1 © W kY { 84) 
A 

WY 2 ,Z^)-e'o 

= ^H(X K , Y k \W X 2, W Y2 , Z' 1 ) - e " 

A 

> I(X; Y) + ^ log Mxi ~ a C x - a CY + I(X ; Y ; Z) 

A 

(85) 

- 2e o - e o 

= /(X; V) + mm(2 KI R x X\2 h --R x X)) 

- acx — occy + I{X;Y ; Z) — 2e 0 — e 0 

> h Y — olcx ~ olcy + I(X; Y; Z) — 2e 0 — e 0 

> h x ( 86 ) 


WkY = {WkYl, WkCY) (92) 

M Y 1 = 2 k ^-R x ’ y )) (93) 

where W a £ Im 0 = {0,1,... ,M a — 1}. The wiretapper 
will not know the W x and Wy that are secured with keys. 

In this case, R x , Ry, Rkx and R k y satisfy that 

77 [log M kX + log M k y] = [log Max + log M Y1 + log M C y] 

A A 

< I(X; Y) + jy log My 1 — e 0 

= I(X-,Y) + hy-I(X-Y)-eo (94) 

= hy — e 0 

< R k x + RkY + eo (95) 

where ( |94) results from ( |93) . 

The security levels thus result: 

^H(X K \W 1 ,W 2 ) 

A 

= ^H(X k \Wxi,W X 2 

A 

Wcx © WkCX,Wy 1 © WkYl,W Y 2 , 

W C y © W k cY, Z») 

> I(X-,Y)-acx-a C Y+I(X-,Y;Z)-e 0 (96) 

= I(X-,Y)-acx-a C Y+I(X;Y;Z)-e 0 (97) 

> h x — e 0 (98) 
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where ( [97] ) results from ( [93] ). 


^H{Y K \W 1 ,W i ) 

= ^H(Y k \Wxi,W X2 

A 

Wcx ® Wkcx, Wyi ® WkYi, 

Wy2,Wcy ® WkCY, Z^) 

> I(X:Y)+ ^logM ri 

A 

- Oicx — acY + I(X; Y; Z) — e 0 (99) 
= I(X-Y) + h Y - I{X-Y) 

- acx-a C Y+I(X;Y-Z)-e 0 (100) 

> h Y -e o ( 101 ) 

where ( | 1 ()()[ > holds from ( |93| >. 

Next the case where h Y < I(X: Y) is considered. The 
codewords W± and W 2 and their keys W k x and W k y are 
now defined: 

Wx = (Wxi,W X 2 ,Wcx ® W kCX ) ( 102 ) 


W 2 = (W y1 ,W Y2 ,W C y) (103) 


^H{Y K \W 1 ,W 2 ,Z> t ) = 1 H(Y k \Wxi,W X2 

A A 

Wcx ® Wkcx,W Y i,W Y 2 , 

w CY ,z») 

> JT log M cy - acx - a C Y 

+ I{X\ Y; Z) — e' 0 (110) 

> h Y - a cx - a C v +I{X-,Y\U) 

where (|TT 0 || holds from ( | 105| >. 

Therefore (Rx, Ry, Rkx, RkY, hx, h Y ) is admissible for 
min(h. A ', h Y ) ( | 1 02 | > - ( | 1 1 1 | >. ■ 


B. Converse parts 

From Slepian-Wolf’s theorem we know that the channel rate 
must satisfy Rx > H(X\Y), R Y > H(Y\X) and Rx+R Y > 
H(X,Y) to achieve a low error probability when decoding. 
Hence, only the key rates are considered in this subsection. 
Converse part of Theorem 1: 


W kX = Wkcx (104) 


M cx = 2 KhY (105) 

where W a £ lM a = {0,1,... ,M a — 1}. The wiretapper 
will not know the W\ and W Y that are secured with keys. 
In this case, R \, li Y , Rkx and R kY satisfy that 

4 [log M kx + log M kY ] = 4 log M C x 

A A 

= h Y (106) 

< RkX + RkY (107) 

where ( | 106[ > results from ( |105| ). 

The security levels thus result: 

^H(X K \W U W 2 ,Z») 

A 

= ^H{X k \Wxi,W X 2 

A 

Wcx ® Wkcx , Wyi , W Y2 , 

w cr ,zn 

> h Y — acx — olcy + I(X\Y\ Z) — e 0 (108) 

> h x -e o (109) 


Rkx > xx log M kx - e 

A 

> 3; H(W kx ) - e 

A 

> 4 H(W kX \W)-e 

A 

= H(W kX ) - I(W kX ; W)\ - e 

= ^H(W kX \X K ,Y K ,W) + I(W kX ;W) 

+ I(W kX -,X\Y, W) + I(X, Y, W kX \W) 

+ I(Y, W kx \X, W) - I{Wnx ; W) - e 

= ^x[H(X K , Y k \W ) - H(X K , Y k \W, W kx )] - e 

> hxy- ^H(X K ,Y K \W,W kX )-e (112) 

A 

= hxy — -jxH(Y k \X k ) — acx — olcy 

+ I(X-Y-Z)-e-e " 

> hxy - otcx - oicy + I{X\Y\ Z) — e — e 0 (113) 

where kF = (kFi, W 2 , •^ A ‘) are the wiretapped portions, 
( | 1 1 2 | > results from equation ( |3T| . Here, we consider the ex¬ 
tremes of H(Y\X) and H(W Y ) in order to determine the 
limit for R k x- When this quantity is minimum then we are 
able to achieve the maximum bound of hxY- 


where ( | 108| > results from ( |105| ). 
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RkY > -r; log M k y — e 

A 

> ~^H(W kY )-e 

A 

> —H(W kY \w)-£ 

= hH(W kY )-I{W kY -,W)-t 

A 

= ^H{W kY \X,Y,W) + I(W kY ;W) 

+ I(W kY ; X|Y, W) + J(X, y, W fcy |W) 

+ J(F, W kY \X, W) - 7(W fcy ; W)] - e 

= hH(X K ,Y K \W)-H(X K ,Y K \W,W kY )}-e 

A 

> h X Y-^H(X K ,Y K \W,W kY )-e (114) 

= hxY - -jpH(X K \Y K ) - acx - olcy 

A 

+ I(X;Y;Z)-e- e 'o 

> hxY - olcx - olcy + I(X; Y; Z) - e - e 0 (115) 

where ( |1 14| ) results from equation ( |3 1 [ ). Here, we consider 
the extremes of H(Vcx) in order to determine the limit for 
R k Y- When this quantity is minimum then we are able to 
achieve the maximum bound of h XY - 
Converse part of Theorem 2: 


RkX > 

f log M kx - e 

A 

> 

^H(W kx ) - e 

> 

4 H{W kx \W)-e 

A 

= 

UH(W kX )-I(W kX ;W)\-e 

A 

= 

^H((W kX \X K , W) + I(W kx ;W) 

A 


+ I(X,W kX \W) - I(W kX -,W) - e 

> fl(X K ,W kX \W)-e 

A 

= hH(X K \W)-H(X K \W,W kX )]-e 

A 

> h x — H(Wcy) — olcx — olcy + I(X; Y ; Z) 

- c-eo (116) 

> h x — acx — olcy + I(X-,Y; Z) — e — e 0 (117) 

where W = (Wi, W 2 , Z 1 *), ( | 1 1 6[ > results from (|29|. The 
consideration here is that II (Y K ' 2 ) represents the preexisting 
information known to an eavesdropper as an extreme case 
scenario. Here, we can also consider the extremes of H(Wcy) 
in order to determine the limit for R kX - When this quantity 
is minimum then we are able to achieve the maximum bound 
of h x - 


RkY > 

f log M kY - e 

A 

> 

^H(W kY ) - e 

> 

^H(W kY \W)-e 

A 

= 

^[H(W kY )~I(W kY -,W)]-e 

= 

^H(W kY \Y K ,W) + I(W kY -,W) 


+ I(X, W kY \W) - I(W kY ; W ) - e 

> ^ I(Y K ,W kY \W)-e 

A 

= H(Y K \W)-H(Y K \W,W kY )\-e 

> h Y — H(Wcx) — olcx — ocy + I(X;Y ; Z) 

- e-eo ( 118 ) 

> h Y — acx ~ ocy + I(X; Y; Z) — e — e 0 (119) 

where ( | 11 8| > results from (|30|. The same consideration as 
above for H(Z^) is presented here. Here, we consider the 
extremes of H(Wcx ) in order to determine the limit for R k Y- 
When this quantity is minimum then we are able to achieve 
the maximum bound of h Y . 
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